A New Twist In SSDP Attacks
Arbor ASERT has uncovered a new class of SSDP abuse where naïve devices will respond to SSDP reflection/amplification attacks with a non-standard port. The resulting flood of UDP packets have ephemeral source and destination ports, making mitigation more difficult - a SSDP diffraction attack. This behavior appears to stem from broad re-use in CPE devices of the open source library libupnp. Evidence from prior DDoS events suggest that attackers are aware of this behavior and may choose a pool of these misbehaving victims based on the efficacy of their attack. Using Arbor products to mitigate these attacks require inspecting packet content to filter the flood of SSDP replies and non-initial fragments.
Key Findings •
- SSDP has been abused for reflection/amplification attacks for many years. In 2015, Arbor identified attacks utilizing SSDP traffic from ephemeral source ports.
- SSDP diffraction attacks that use ephemeral ports can defeat naïve port filtering mitigations.
- Surprisingly, the majority of the roughly 5 million SSDP servers reachable via the public Internet will respond from an ephemeral source port.
- The behavior stems from use of the open source library libupnp, which appears to be used in a variety of CPE devices.
- Defending against SSDP diffraction attacks requires inspecting packet content.